The Health Information Trust Alliance (HITRUST) launched May 22 a certification program for the NIST Cybersecurity Framework (CSF) that makes it easier for security teams to report on their implementation of the framework to upper management, business partners, and regulators.
The certification program has two parts. First, HITRUST has developed a scorecard for describing how an organization’s security program maps to the NIST CSF’s core subcategories.
Second, HITRUST is offering an assurance certification that verifies that an organization is meeting the NIST CSF requirements and controls, explained HITRUST CEO Daniel Nutkis.
The NIST CSF consists of standards, guidelines, and best practices to manage cybersecurity risk. The framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security, explained NIST.
NIST recently published Version 1.1 of its CSF, which includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.
“A lot of organizations want to know how they are doing against the NIST cybersecurity categories,” Nutkis said. “So, our reporting is now in the NIST categories and allows organizations to get that check mark that says, ‘Yes, we are meeting the requirements not only of the HITRUST CSF [Common Security Framework] but also the NIST CSF.’ They can look at how they are doing in the format of the NIST CSF.”
Nutkis said that senior management across industries are now looking at cybersecurity in terms of the NIST categories: identify, protect, detect, respond, and recover.
The HITRUST chief said his organization incorporated the NIST CSF into its HITRUST CSF shortly after the NIST document came out and has partnered with HHS and DHS to draft the guidance for how the healthcare sector can implement the NIST framework.
“If you are already using our framework, it is just a matter of getting assessed. And our standard assessment report now will include the NIST cybersecurity scorecard,” he said. “If you hit a certain score, we will issue you a certification against the NIST Cybersecurity Framework.”
Organizations that don’t go through the assessment process can still use the implementation guidance, which walks them through how to implement the various NIST controls. The guidance is a valid risk assessment under HIPAA as well, so it will help healthcare providers meet HIPAA requirements, he noted.
“Many organizations use their HITRUST CSF assessment as their HIPAA risk analysis and assessment. We have performed all of the background analysis to make that valid,” Nutkis said.
The HITRUST chief explained that HITRUST’s CSF originally stood for Common Security Framework, but with the addition of privacy requirements five years ago, it became just the CSF. The framework has expanded beyond healthcare to other industries and internationally, he noted.
“The genesis of the HITRUST CSF was to develop a methodology that healthcare could use to ensure their information was protected and would enable the free flow of information between organizations,” said Nutkis.
HITRUST doesn’t perform assessments; it certifies organizations, such as PwC, KPMG, and Deloitte, to carry out the assessments on HITRUST’s behalf.
Nutkis said that 80 percent of hospitals and insurance companies use the HITRUST CSF, as well as a number of pharmacy benefit managers, pharmaceutical companies, and smaller providers.
A NIST CSF scorecard from HITRUST provides compliance ratings for each NIST CSF core subcategory, guidance for approximating NIST CSF implementation tiers based on those compliance ratings, and consistent reporting across all critical infrastructure industries.
The HITRUST CSF assurance program can also help organizations understand and report their effectiveness against other standards and best practice cybersecurity frameworks. With just one assessment, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, NIST CSF, the EU’s General Data Protection Regulation, ISO 27001, PCI DSS, AICPA Trust Services Criteria, and SOC 2, HITRUST explained.
A recent GAO report confirmed that the HITRUST CSF is appropriate for implementing the NIST CSF. The report explained that the HITRUST CSF has been aligned with the NIST CSF and that it incorporates the NIST framework’s 135 individual security controls and the 14 individual privacy controls.
“The Healthcare and Public Health sector encourages the alignment of the NIST cybersecurity framework with existing cybersecurity guidelines currently in use within its respective sector,” the GAO report stated.
“The alignment of the framework to the Health Information Trust Alliance Framework allows organizations to demonstrate compliance with NIST through their implementation of the pre-existing Health Information Trust Alliance Framework,” it added.
GAO recommended that HHS, in cooperation with the Department of Agriculture, consult with sector partners, such as their sector coordinating council, DHS, and NIST, to develop methods for determining the level and type of framework adoption by organizations within their respective sector.